• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Can I access website hosted over ipv4 using ipv6 ?

Started by pradeepchhetri, March 10, 2014, 08:25:17 AM


pradeepchhetri

Hello,

I configured a tunnel using HE's tutorial for getting an IPv6 address. I am able to ping ipv6.google.com

$ ping6 2607:f8b0:4004:801::1005
PING 2607:f8b0:4004:801::1005(2607:f8b0:4004:801::1005) 56 data bytes
64 bytes from 2607:f8b0:4004:801::1005: icmp_seq=1 ttl=53 time=424 ms
64 bytes from 2607:f8b0:4004:801::1005: icmp_seq=2 ttl=53 time=427 ms

But whenever I try to access a website hosted only over IPv4, it uses my IPv4 address. Can't I configure it in such a way that all my traffic (whether the destination IP is IPv4 or IPv6) always goes through the tunnel, and hence the server sees only my IPv6 address (never my IPv4 address)?

broquea

You could set up a nat64/dns64 gateway locally and disable all your internal IPv4, and run IPv6 only. It promises to be a fun project and then you'll turn it off when sites/applications using IPv4 literals breaks the experience. Otherwise no.

kasperd

Quote from: pradeepchhetri on March 10, 2014, 08:25:17 AM
Can't I configure it in such a way that all my traffic (whether the destination IP is IPv4 or IPv6) always goes through the tunnel, and hence the server sees only my IPv6 address (never my IPv4 address)?
No, that is impossible.

If the server is IPv4 only, the server is always going to see the client originating from an IPv4 address, no matter what you do.

You could throw an HTTP proxy into the mix and have it send an X-Forwarded-For header with the IPv6 address. But the server will still see the IPv4 address of the proxy, and unless the server has previously been configured to explicitly trust that IPv4 address, it is likely going to completely ignore the X-Forwarded-For header.

You could also configure NAT64 on your router. But that is not going to change what the server sees. Whether you use NAT44 or NAT64, the communication will still be IPv4 between the edge of your network and the server. All that changes is the protocol used between the client on your LAN and your NAT.
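The X-Forwarded-For point in the post above, seen from the server side, as an added example that is not part of the thread: the header is honoured only when the TCP peer is a configured proxy. The function name and the addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

def _parse(text):
    """Parse one X-Forwarded-For entry; return None if it is not an IP."""
    try:
        return ipaddress.ip_address(text.strip().strip("[]"))
    except ValueError:
        return None

def client_address(peer, xff, trusted_proxies):
    """Return the address the server should log as the client.

    peer            -- source address of the TCP connection (always IPv4
                       when the server is IPv4-only, as in the thread)
    xff             -- raw X-Forwarded-For header value, or None
    trusted_proxies -- networks the operator has explicitly trusted
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(addr):
        # Membership is False when address and network versions differ.
        return any(addr in n for n in nets)

    current = ipaddress.ip_address(peer)
    # An untrusted peer can put anything in the header, so ignore it.
    if not xff or not trusted(current):
        return str(current)
    # Walk from the hop nearest the server back towards the client and
    # stop at the first address that is not one of our own proxies.
    for hop in reversed(xff.split(",")):
        addr = _parse(hop)
        if addr is None:
            break  # malformed entry: keep the last verified hop
        current = addr
        if not trusted(current):
            break
    return str(current)

if __name__ == "__main__":
    # Constructed sample: proxy 192.0.2.10 forwards for an IPv6 client.
    print(client_address("192.0.2.10", "2001:db8::1234", ["192.0.2.10/32"]))
    print(client_address("192.0.2.10", "2001:db8::1234", []))
```
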

kasperd

Quote from: broquea on March 10, 2014, 10:42:42 AM
and then you'll turn it off when sites/applications using IPv4 literals breaks the experience.
This is the canonical example of a situation where NAT44 works better than NAT64. Supposedly there are also situations, where NAT64 works better than NAT44.

I have been wondering if a tunnelbroker.net user could configure just the DNS64 setup on their network but not the NAT64 part. It could work if HE was running a NAT64, such that users do not have to run their own. I think such a setup would probably be closer to what was asked for.

However as far as I can tell, HE is not providing any NAT64. Has HE ever considered NAT64? Or has it simply been assumed, that none of the tunnelbroker.net users would make use of NAT64 even if it was available?

broquea

The 'anycasted' nat64/dns64 service I set up there appears to still be working years later, and should only be usable for people connecting from 2001:470::/32
Since it wasn't really a publicized project, I'll not mention how to use it. Someone from HE can decide to do that. Or maybe this will alert them that it is still running after all these years :)

kasperd

Quote from: broquea on March 10, 2014, 02:53:46 PM
The 'anycasted' nat64/dns64 service I set up there appears to still be working years later, and should only be usable for people connecting from 2001:470::/32
Since it wasn't really a publicized project, I'll not mention how to use it.
If it was using the well-known NAT64 prefix, I would have found it already. So for some reason it must be using different addresses. One reason for not using the well-known prefix could be, that using an anycasted prefix can be a bit tricky. It may be easier to just use an anycast address for the DNS64 servers, and let the servers use a unicasted NAT64 prefix in replies. That way which NAT64 instance will be used is decided at the time of the lookup. The DNS64 server could even include two (or more) different prefixes in different AAAA records, such that clients can do failover between the NAT64 instances.

If that is how the setup looks, one just has to guess the DNS64 address in order to be able to use it.

kasperd

Quote from: kasperd on March 11, 2014, 02:59:25 AM
one just has to guess the DNS64 address in order to be able to use it.
I have guessed that address. I see now what the quotes around anycasted are implying. Using a tunnel server in Frankfurt and connecting to an IPv4 address in Europe, my traffic got routed through a NAT64 in Fremont (based on reverse DNS on last hop before the NAT64). With that sort of latency, I don't see myself using that NAT64 for much.

Searching on Google I see 6 hits when searching for the IPv6 prefix of the NAT64 and 57 hits when searching for the IPv4 address. But zero hits when searching for pages mentioning both the IPv6 and IPv4 address.

broquea

Yeah the 'anycasted' aspect was one node is in FMT1 and the other in FMT2. Easier to service non-prod when you can drive down the street to the other facility :)

kasperd

Quote from: broquea on March 11, 2014, 10:59:36 AM
Easier to service non-prod when you can drive down the street to the other facility :)
I know what it's like. I have previously had to service a production system with lots of moving parts nine time zones away.

eh58

Just wanted to thank kasperd for his detailed answers. I had the same problem and kasperd's advice resolved it.
:)